Loading...
Helix SwarmHelix Swarm
Loading...

Escaper.php

  • //
  • guest/
  • thomas_gray/
  • jambox/
  • main/
  • swarm/
  • library/
  • Zend/
  • Escaper/
  • Escaper.php #1
  • View
  • Commits
  • Open Download .zip Download (12 KB) 
  1. <?php
  2. /**
  3.  * Zend Framework (http://framework.zend.com/)
  4.  *
  5.  * @link      http://github.com/zendframework/zf2 for the canonical source repository
  6.  * @copyright Copyright (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com)
  7.  * @license   http://framework.zend.com/license/new-bsd New BSD License
  8.  */
  9.  
  10. namespace Zend\Escaper;
  11.  
  12.  
  13. /**
  14.  * Context specific methods for use in secure output escaping
  15.  */
  16. class Escaper
  17. {
  18.     /**
  19.      * Entity Map mapping Unicode codepoints to any available named HTML entities.
  20.      *
  21.      * While HTML supports far more named entities, the lowest common denominator
  22.      * has become HTML5's XML Serialisation which is restricted to the those named
  23.      * entities that XML supports. Using HTML entities would result in this error:
  24.      *     XML Parsing Error: undefined entity
  25.      *
  26.      * @var array
  27.      */
  28.     protected static $htmlNamedEntityMap = array(
  29.         34 => 'quot',         // quotation mark
  30.         38 => 'amp',          // ampersand
  31.         60 => 'lt',           // less-than sign
  32.         62 => 'gt',           // greater-than sign
  33.     );
  34.  
  35.     /**
  36.      * Current encoding for escaping. If not UTF-8, we convert strings from this encoding
  37.      * pre-escaping and back to this encoding post-escaping.
  38.      *
  39.      * @var string
  40.      */
  41.     protected $encoding = 'utf-8';
  42.  
  43.     /**
  44.      * Holds the value of the special flags passed as second parameter to
  45.      * htmlspecialchars(). We modify these for PHP 5.4 to take advantage
  46.      * of the new ENT_SUBSTITUTE flag for correctly dealing with invalid
  47.      * UTF-8 sequences.
  48.      *
  49.      * @var string
  50.      */
  51.     protected $htmlSpecialCharsFlags = ENT_QUOTES;
  52.  
  53.     /**
  54.      * Static Matcher which escapes characters for HTML Attribute contexts
  55.      *
  56.      * @var callable
  57.      */
  58.     protected $htmlAttrMatcher;
  59.  
  60.     /**
  61.      * Static Matcher which escapes characters for Javascript contexts
  62.      *
  63.      * @var callable
  64.      */
  65.     protected $jsMatcher;
  66.  
  67.     /**
  68.      * Static Matcher which escapes characters for CSS Attribute contexts
  69.      *
  70.      * @var callable
  71.      */
  72.     protected $cssMatcher;
  73.  
  74.     /**
  75.      * List of all encoding supported by this class
  76.      *
  77.      * @var array
  78.      */
  79.     protected $supportedEncodings = array(
  80.         'iso-8859-1',   'iso8859-1',    'iso-8859-5',   'iso8859-5',
  81.         'iso-8859-15',  'iso8859-15',   'utf-8',        'cp866',
  82.         'ibm866',       '866',          'cp1251',       'windows-1251',
  83.         'win-1251',     '1251',         'cp1252',       'windows-1252',
  84.         '1252',         'koi8-r',       'koi8-ru',      'koi8r',
  85.         'big5',         '950',          'gb2312',       '936',
  86.         'big5-hkscs',   'shift_jis',    'sjis',         'sjis-win',
  87.         'cp932',        '932',          'euc-jp',       'eucjp',
  88.         'eucjp-win',    'macroman'
  89.     );
  90.  
  91.     /**
  92.      * Constructor: Single parameter allows setting of global encoding for use by
  93.      * the current object. If PHP 5.4 is detected, additional ENT_SUBSTITUTE flag
  94.      * is set for htmlspecialchars() calls.
  95.      *
  96.      * @param string $encoding
  97.      * @throws Exception\InvalidArgumentException
  98.      */
  99.     public function __construct($encoding = null)
  100.     {
  101.         if ($encoding !== null) {
  102.             $encoding = (string) $encoding;
  103.             if ($encoding === '') {
  104.                 throw new Exception\InvalidArgumentException(
  105.                     get_class($this) . ' constructor parameter does not allow a blank value'
  106.                 );
  107.             }
  108.  
  109.             $encoding = strtolower($encoding);
  110.             if (!in_array($encoding, $this->supportedEncodings)) {
  111.                 throw new Exception\InvalidArgumentException(
  112.                     'Value of \'' . $encoding . '\' passed to ' . get_class($this)
  113.                     . ' constructor parameter is invalid. Provide an encoding supported by htmlspecialchars()'
  114.                 );
  115.             }
  116.  
  117.             $this->encoding = $encoding;
  118.         }
  119.  
  120.         if (defined('ENT_SUBSTITUTE')) {
  121.             $this->htmlSpecialCharsFlags|= ENT_SUBSTITUTE;
  122.         }
  123.  
  124.         // set matcher callbacks
  125.         $this->htmlAttrMatcher = array($this, 'htmlAttrMatcher');
  126.         $this->jsMatcher       = array($this, 'jsMatcher');
  127.         $this->cssMatcher      = array($this, 'cssMatcher');
  128.     }
  129.  
  130.     /**
  131.      * Return the encoding that all output/input is expected to be encoded in.
  132.      *
  133.      * @return string
  134.      */
  135.     public function getEncoding()
  136.     {
  137.         return $this->encoding;
  138.     }
  139.  
  140.     /**
  141.      * Escape a string for the HTML Body context where there are very few characters
  142.      * of special meaning. Internally this will use htmlspecialchars().
  143.      *
  144.      * @param string $string
  145.      * @return string
  146.      */
  147.     public function escapeHtml($string)
  148.     {
  149.         $result = htmlspecialchars($string, $this->htmlSpecialCharsFlags, $this->encoding);
  150.         return $result;
  151.     }
  152.  
  153.     /**
  154.      * Escape a string for the HTML Attribute context. We use an extended set of characters
  155.      * to escape that are not covered by htmlspecialchars() to cover cases where an attribute
  156.      * might be unquoted or quoted illegally (e.g. backticks are valid quotes for IE).
  157.      *
  158.      * @param string $string
  159.      * @return string
  160.      */
  161.     public function escapeHtmlAttr($string)
  162.     {
  163.         $string = $this->toUtf8($string);
  164.         if ($string === '' || ctype_digit($string)) {
  165.             return $string;
  166.         }
  167.  
  168.         $result = preg_replace_callback('/[^a-z0-9,\.\-_]/iSu', $this->htmlAttrMatcher, $string);
  169.         return $this->fromUtf8($result);
  170.     }
  171.  
  172.     /**
  173.      * Escape a string for the Javascript context. This does not use json_encode(). An extended
  174.      * set of characters are escaped beyond ECMAScript's rules for Javascript literal string
  175.      * escaping in order to prevent misinterpretation of Javascript as HTML leading to the
  176.      * injection of special characters and entities. The escaping used should be tolerant
  177.      * of cases where HTML escaping was not applied on top of Javascript escaping correctly.
  178.      * Backslash escaping is not used as it still leaves the escaped character as-is and so
  179.      * is not useful in a HTML context.
  180.      *
  181.      * @param string $string
  182.      * @return string
  183.      */
  184.     public function escapeJs($string)
  185.     {
  186.         $string = $this->toUtf8($string);
  187.         if ($string === '' || ctype_digit($string)) {
  188.             return $string;
  189.         }
  190.  
  191.         $result = preg_replace_callback('/[^a-z0-9,\._]/iSu', $this->jsMatcher, $string);
  192.         return $this->fromUtf8($result);
  193.     }
  194.  
  195.     /**
  196.      * Escape a string for the URI or Parameter contexts. This should not be used to escape
  197.      * an entire URI - only a subcomponent being inserted. The function is a simple proxy
  198.      * to rawurlencode() which now implements RFC 3986 since PHP 5.3 completely.
  199.      *
  200.      * @param string $string
  201.      * @return string
  202.      */
  203.     public function escapeUrl($string)
  204.     {
  205.         return rawurlencode($string);
  206.     }
  207.  
  208.     /**
  209.      * Escape a string for the CSS context. CSS escaping can be applied to any string being
  210.      * inserted into CSS and escapes everything except alphanumerics.
  211.      *
  212.      * @param string $string
  213.      * @return string
  214.      */
  215.     public function escapeCss($string)
  216.     {
  217.         $string = $this->toUtf8($string);
  218.         if ($string === '' || ctype_digit($string)) {
  219.             return $string;
  220.         }
  221.  
  222.         $result = preg_replace_callback('/[^a-z0-9]/iSu', $this->cssMatcher, $string);
  223.         return $this->fromUtf8($result);
  224.     }
  225.  
  226.     /**
  227.      * Callback function for preg_replace_callback that applies HTML Attribute
  228.      * escaping to all matches.
  229.      *
  230.      * @param array $matches
  231.      * @return string
  232.      */
  233.     protected function htmlAttrMatcher($matches)
  234.     {
  235.         $chr = $matches[0];
  236.         $ord = ord($chr);
  237.  
  238.         /**
  239.          * The following replaces characters undefined in HTML with the
  240.          * hex entity for the Unicode replacement character.
  241.          */
  242.         if (($ord <= 0x1f && $chr != "\t" && $chr != "\n" && $chr != "\r")
  243.             || ($ord >= 0x7f && $ord <= 0x9f)
  244.         ) {
  245.             return '&#xFFFD;';
  246.         }
  247.  
  248.         /**
  249.          * Check if the current character to escape has a name entity we should
  250.          * replace it with while grabbing the integer value of the character.
  251.          */
  252.         if (strlen($chr) > 1) {
  253.             $chr = $this->convertEncoding($chr, 'UTF-16BE', 'UTF-8');
  254.         }
  255.  
  256.         $hex = bin2hex($chr);
  257.         $ord = hexdec($hex);
  258.         if (isset(static::$htmlNamedEntityMap[$ord])) {
  259.             return '&' . static::$htmlNamedEntityMap[$ord] . ';';
  260.         }
  261.  
  262.         /**
  263.          * Per OWASP recommendations, we'll use upper hex entities
  264.          * for any other characters where a named entity does not exist.
  265.          */
  266.         if ($ord > 255) {
  267.             return sprintf('&#x%04X;', $ord);
  268.         }
  269.         return sprintf('&#x%02X;', $ord);
  270.     }
  271.  
  272.     /**
  273.      * Callback function for preg_replace_callback that applies Javascript
  274.      * escaping to all matches.
  275.      *
  276.      * @param array $matches
  277.      * @return string
  278.      */
  279.     protected function jsMatcher($matches)
  280.     {
  281.         $chr = $matches[0];
  282.         if (strlen($chr) == 1) {
  283.             return sprintf('\\x%02X', ord($chr));
  284.         }
  285.         $chr = $this->convertEncoding($chr, 'UTF-16BE', 'UTF-8');
  286.         return sprintf('\\u%04s', strtoupper(bin2hex($chr)));
  287.     }
  288.  
  289.     /**
  290.      * Callback function for preg_replace_callback that applies CSS
  291.      * escaping to all matches.
  292.      *
  293.      * @param array $matches
  294.      * @return string
  295.      */
  296.     protected function cssMatcher($matches)
  297.     {
  298.         $chr = $matches[0];
  299.         if (strlen($chr) == 1) {
  300.             $ord = ord($chr);
  301.         } else {
  302.             $chr = $this->convertEncoding($chr, 'UTF-16BE', 'UTF-8');
  303.             $ord = hexdec(bin2hex($chr));
  304.         }
  305.         return sprintf('\\%X ', $ord);
  306.     }
  307.  
  308.     /**
  309.      * Converts a string to UTF-8 from the base encoding. The base encoding is set via this
  310.      * class' constructor.
  311.      *
  312.      * @param string $string
  313.      * @throws Exception\RuntimeException
  314.      * @return string
  315.      */
  316.     protected function toUtf8($string)
  317.     {
  318.         if ($this->getEncoding() === 'utf-8') {
  319.             $result = $string;
  320.         } else {
  321.             $result = $this->convertEncoding($string, 'UTF-8', $this->getEncoding());
  322.         }
  323.  
  324.         if (!$this->isUtf8($result)) {
  325.             throw new Exception\RuntimeException(sprintf(
  326.                 'String to be escaped was not valid UTF-8 or could not be converted: %s', $result
  327.             ));
  328.         }
  329.  
  330.         return $result;
  331.     }
  332.  
  333.     /**
  334.      * Converts a string from UTF-8 to the base encoding. The base encoding is set via this
  335.      * class' constructor.
  336.      * @param string $string
  337.      * @return string
  338.      */
  339.     protected function fromUtf8($string)
  340.     {
  341.         if ($this->getEncoding() === 'utf-8') {
  342.             return $string;
  343.         }
  344.  
  345.         return $this->convertEncoding($string, $this->getEncoding(), 'UTF-8');
  346.     }
  347.  
  348.     /**
  349.      * Checks if a given string appears to be valid UTF-8 or not.
  350.      *
  351.      * @param string $string
  352.      * @return bool
  353.      */
  354.     protected function isUtf8($string)
  355.     {
  356.         return ($string === '' || preg_match('/^./su', $string));
  357.     }
  358.  
  359.     /**
  360.      * Encoding conversion helper which wraps iconv and mbstring where they exist or throws
  361.      * and exception where neither is available.
  362.      *
  363.      * @param string $string
  364.      * @param string $to
  365.      * @param array|string $from
  366.      * @throws Exception\RuntimeException
  367.      * @return string
  368.      */
  369.     protected function convertEncoding($string, $to, $from)
  370.     {
  371.         $result = '';
  372.         if (function_exists('iconv')) {
  373.             $result = iconv($from, $to, $string);
  374.         } elseif (function_exists('mb_convert_encoding')) {
  375.             $result = mb_convert_encoding($string, $to, $from);
  376.         } else {
  377.             throw new Exception\RuntimeException(
  378.                 get_class($this)
  379.                 . ' requires either the iconv or mbstring extension to be installed'
  380.                 . ' when escaping for non UTF-8 strings.'
  381.             );
  382.         }
  383.  
  384.         if ($result === false) {
  385.             return ''; // return non-fatal blank string on encoding errors from users
  386.         }
  387.         return $result;
  388.     }
  389. }
# Change User Description Committed
#1 18334 Liz Lam initial add of jambox 9 years ago